Introducing Cookie Agent: Flag all miscategorized cookies with real-time research

Do you know why most websites in the US are not privacy compliant? Websites are still tracking users with advertising cookies after users opt out. Of the top 100 US websites Privado AI scanned for privacy compliance, 70% still used advertising cookies after opt outs. 

To help companies categorize cookies with 100% accuracy and prevent privacy violations, we built the cookie agent. The cookie agent creates a real-time database of all cookies found on your websites and ensures our Web Auditor flags 100% of miscategorized cookies. 

Hundreds of thousands of unique cookies are currently live on the internet, yet consent management platforms (CMPs) rely on static databases of only 15,000-20,000 cookies for categorization. 

With Privado AI’s cookie agent researching the internet to correctly categorize each cookie, customers found that 34% of cookies were miscategorized by their CMP. Of that 34%, the cookie agent found that 17% were actually advertising cookies creating privacy compliance risk. 

Prior to the cookie agent, Privado AI Web Auditor still flagged all non-compliant pixels and scripts that fired without proper consent by mapping the vendor of each pixel/script to its official IAB vendor category. To support remediating the cookies coming from these vendors, Privado AI previously relied on the CMP cookie categorization. 

Now customers can quickly remediate all cookie compliance issues with confidence because the cookie agent ensures each issue accurately specifies the cookie that needs to be recategorized.  

Why CMPs miscategorize so many cookies and cause privacy violations

The primary reason CMPs miscategorize cookies is they rely on static, outdated cookie databases. These databases are typically not updated when vendors periodically rename cookies or add new cookies for new capabilities. Cookies from newer or more niche vendors are often missing entirely from these databases. 

For cookies not found in their database, CMPs typically make an attempt to categorize the cookie by its name. That works for some cookies where the vendor name is indicated, e.g., ga{id} where “ga” stands for Google Analytics. It doesn’t work for many other cookies where nothing can be inferred, e.g., uid_123. To make cookie categorization even more complicated, the same cookie name can be used by different vendors for different purposes; this is when an agent is critical for gathering more context. 

With so many cookies miscategorized, some teams try to manually categorize cookies by attempting to do their own research; this, of course, does not scale. It’s imprecise and can’t keep up with new cookies and cookie changes. 

Lastly, some miscategorization is done deliberately by marketing teams to improve marketing performance and measurement. The reality is that privacy compliance typically conflicts with how marketing teams are goaled. 

How the cookie agent ensures categorization and risk identification is 100% accurate

In short, the cookie agent conducts more thorough research than a privacy analyst would for an unknown cookie, and the agent does it for every cookie on a website in a matter of minutes.

By researching every cookie identified, our Web Auditor solution builds a complete, up-to-date cookie database each time Privado AI scans a website. With this reliable backbone of information, Web Auditor is able to

• Flag all cookies not compliant with each location's privacy requirements, e.g., US states or European countries 
• Facilitate remediation by accurately specifying the exact cookie id that should be blocked and tying it to the pixel or script is generating the cookie
• Identify cookie miscategorization that can improve website or marketing performance, e.g., advertising cookie that should be functional
• Create a single source of truth for accurate cookie categorization

Here’s how the agent does it.

Categorization

• Categorizes cookie by cross-referencing several open-source cookie database (method for 98% of unique cookies identified)
• If <70% confidence from database research, categorizes cookie from searching for vendor documentation and vendor purpose in the IAB vendor list
• If vendor still cannot be identified, determines category by researching how other websites have categorized that cookie
• Marks cookie categorization confidence as low when lacking sufficient information (0.2% of unique cookies identified)  

Risk identification

• Creates privacy issue for each privacy check the cookie fails using its verified cookie categorization, e.g., targeting/advertising cookie used in California after opt out
• Links non-compliant cookies to each privacy issue created across websites and locations scanned

Evidence

• Summarizes categorization reasoning for all cookies identified
• Links reasoning to internet sources used

Remediation

• Generates tickets with specific remediation guidance to send to the web team via Jira, Linear, etc. 
• Refreshes research and updates privacy issues after each website scan

Start eliminating non-compliant cookies today with Web Auditor

• Get started with a free website scan to identify all live privacy risks
• Onboard Web Auditor in a day; no technical implementation required
• To initiate website scans, simply input the URL and the relevant location
• Learn more

What else is new?

• App Auditor updates: 
  
  • App store URL scanning: Now scan iOS and Android apps via app store URLs (in addition to app store files, i.e., IPA for iOS or APK/AAB for Android)
  • App version control: Trigger app scans on the latest version when a new version releases in the app store ‍
• Wren launch: Hire our new AI privacy analyst to run your assessment processes end-to-end. By integrating with your existing tools and leveraging the latest AI agent technology, Wren can autonomously capture potential risks, conduct research, recommend action, and populate entire assessments based on your company’s policies and regulatory requirements.